D G Teed donald.teed at gmail.com
Tue May 5 10:13:13 ADT 2009

On Mon, May 4, 2009 at 3:12 PM, Ian Campbell <ian at slu.ms> wrote:

> Skimming the thread again, I see nobody mentioned the allow_url_fopen
> option for PHP. It will disable that (frankly idiotic) default
> behaviour where PHP lets include/require/file_get_contents etc. open
> remote urls if you set it to false in php.ini.

Thanks for mentioning this option.  Worthwhile for anyone to know about.

After we found the problem, we implemented that setting,
and allow_url_include as well.  I agree it is a stupid default
setting, and we'll add it to the things we have to change after an install.

> You can write secure code in any language, you can write insecure code
>  in any language. PHP doesn't make it significantly easier to shoot
> yourself in the foot than perl/ruby/python/C/whatever if the coders
> aren't going to validate input to begin with.

The problem is php provides a low entry bar for novices
to try a few lines of code.  The file we found the problem in
was using php includes in place of anchors and a little copy
and paste.  There was no other purpose for the
php code being used - very rudimentary level of knowledge.
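
A concrete form of the two php.ini settings discussed above, checked at runtime, beside an include that never takes its path from the request. This is an added example, not code from the thread; the function names and the $pages map are assumptions.

```php
<?php
// Added example, not from the thread. The php.ini lines the thread
// recommends (values shown as comments, not executed here):
//   allow_url_fopen   = Off  ; include/require/file_get_contents stop opening http:// etc.
//   allow_url_include = Off  ; include/require refuse URL wrappers regardless of allow_url_fopen

// Returns true only when both settings are off, so a deployment check can
// fail loudly if an install came up with the defaults the thread complains about.
function remote_wrappers_disabled(): bool
{
    // ini_get() returns "1"/"0" (or "") for boolean directives; normalise it.
    $fopen   = filter_var(ini_get('allow_url_fopen'),   FILTER_VALIDATE_BOOLEAN);
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    return !$fopen && !$include;
}

// The pattern found in the thread's file, as a comment for contrast:
// the include path is built directly from request data.
//   include($_GET['page'] . '.php');

// Hardened form: the request value only selects a key in a fixed map, so
// nothing from the request reaches the filesystem or a URL wrapper.
// $pages is an assumed allowlist, e.g. ['home' => 'home.php', 'about' => 'about.php'].
function safe_include(string $key, array $pages): bool
{
    if (!array_key_exists($key, $pages)) {
        return false;   // unknown page: caller can render a 404
    }
    include __DIR__ . '/pages/' . $pages[$key];
    return true;
}

// Example wiring (constructed): refuse to serve if the ini hardening is missing.
if (!remote_wrappers_disabled()) {
    http_response_code(500);
    exit('allow_url_fopen/allow_url_include must be Off');
}
$pages = ['home' => 'home.php', 'about' => 'about.php'];
if (!safe_include($_GET['page'] ?? 'home', $pages)) {
    http_response_code(404);
}
```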

